From 4715b3b708e97d85336cb930cfb5cec8e4cf5065 Mon Sep 17 00:00:00 2001
From: Hangyu Hua <hbh25y@gmail.com>
Date: Mon, 21 Feb 2022 21:21:00 +0800
Subject: [PATCH] yam: fix a memory leak in yam_siocdevprivate()

mainline inclusion
from mainline-v5.17-rc2
commit 29eb31542787e1019208a2e1047bb7c76c069536
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4U4NY
CVE: CVE-2022-24959

-------------------------------------------------

ym needs to be free when ym->cmd != SIOCYAMSMCS.

Fixes: 0781168e23a2 ("yam: fix a missing-check bug")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

conflict:
	The bug is in function yam_siocdevprivate() in mainline,
but it is in function yam_ioctl() because the function name is
changed in 25ec92fbdd("hamradio: use ndo_siocdevprivate") in
mainline.

Signed-off-by: Lu Wei <luwei32@huawei.com>
Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/net/hamradio/yam.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/net/hamradio/yam.c b/drivers/net/hamradio/yam.c
index ba9df430fca6..f124ceab5f5e 100644
--- a/drivers/net/hamradio/yam.c
+++ b/drivers/net/hamradio/yam.c
@@ -966,9 +966,7 @@ static int yam_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 				 sizeof(struct yamdrv_ioctl_mcs));
 		if (IS_ERR(ym))
 			return PTR_ERR(ym);
-		if (ym->cmd != SIOCYAMSMCS)
-			return -EINVAL;
-		if (ym->bitrate > YAM_MAXBITRATE) {
+		if (ym->cmd != SIOCYAMSMCS || ym->bitrate > YAM_MAXBITRATE) {
 			kfree(ym);
 			return -EINVAL;
 		}
-- 
GitLab